  1. #1
    Regular Coder
    Join Date
    Apr 2004
    Posts
    684
    Thanks
    24
    Thanked 1 Time in 1 Post

    Problem with returning correct user input when it includes quotes

    I have a page with several form fields which the user sets & if they don't fill something in correctly I put an error at the top of the page & then reload all the code below & fill in all the fields they had already filled in... however, if the user inputs any quotes in their input, then when the error page loads it doesn't display the fields correctly.... examples:

    If they input:

    Fast "cars" & produce an error

    The page will reload with:

    Fast \ in the field

    If they input:

    "Cars"

    The page will reload with:

    \ in the field.


    So I tried to replace the " with a \" with the below "preg_replace" code..

    PHP Code:
    $radiovaluesub = 'fmradiovb' . $radioname . '-' . $radioq2;

    $rbvsstrip = $_SESSION['fm'][$radiovaluesub];

    $rbvs = preg_replace('\"','\\"',$rbvsstrip);
    ..hoping it would work but now I'm getting errors..

    Any help here?
    Last edited by cyphix; 06-02-2004 at 03:51 PM.

  • #2
    Regular Coder
    Join Date
    May 2004
    Location
    sweden
    Posts
    236
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Gotta have those error texts also. But I think that using str_replace might be faster and easier.

    str_replace ("\"","\\\"",$rbvsstrip)
    Carl McDade
    _____________
    Hiveminds Magazine
    for web publisher and community builders
    eRuby Tutorials

  • #3
    Regular Coder
    Join Date
    Apr 2004
    Posts
    684
    Thanks
    24
    Thanked 1 Time in 1 Post
    Hmmmm.... got no errors with that but still not returned correctly!

    Fast "Cars" is now returned as:

    Fast \\


    Any ideas?

  • #4
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,040
    Thanks
    10
    Thanked 92 Times in 90 Posts
    Look also at addslashes() && stripslashes(). addslashes makes the code safe for insertion into the DB (mysql_escape_field() is available as well); stripslashes clears it up for display in your forms.

    for display ...
    <input type="text" name="name" value="<?=stripslashes($_POST['name']);?>">

    for sticking in the DB ..

    "UPDATE blah SET name='".addslashes($_POST['name'])."' ..etc

    Now this gets funky when different servers have different php.ini settings. Some servers will have magic_quotes_gpc = On, which automatically escapes GET, POST and COOKIE variables. That's what your server is doing right now, and that's where the slashes are coming from, so really you do not need to addslashes yourself.
    So you really need to check the server settings (ini_get()) and decide whether you need to addslashes() or not.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #5
    Regular Coder
    Join Date
    Apr 2004
    Posts
    684
    Thanks
    24
    Thanked 1 Time in 1 Post
    Hmm... that'll remove the slashes but it won't return anything after it.

    Example:

    Before:

    "Fast"

    Would return:

    \

    Now:

    "Fast"

    returns:

    nothing (a blank area).

    So it is stripping the slashes but it's not leaving the user data there.
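
Added example, not part of the thread or any poster's code: the symptoms in posts #1 and #5 are what a browser shows when a literal " ends the value attribute early, so the value has to be HTML-encoded with htmlspecialchars() before it is echoed into the field, which is also what stops submitted input from breaking out of the attribute. The magic_quotes_gpc behaviour is simulated with addslashes(), the sample inputs are constructed from the posts, and the helper names are hypothetical.

```php
<?php
// Added example (not from the thread). Inputs are constructed to match the
// values quoted in the posts above; all function names are hypothetical.

// What magic_quotes_gpc = On hands the script for the typed text: it applies
// addslashes() to GET/POST/COOKIE data before the script sees it.
function as_received_with_magic_quotes(string $typed): string
{
    return addslashes($typed);
}

// Approximates how a browser reads a double-quoted attribute: the value ends
// at the first literal ", a backslash is not an escape character in HTML,
// and character references such as &quot; are decoded.
function value_browser_sees(string $inputTag): string
{
    preg_match('/value="([^"]*)"/', $inputTag, $m);
    return html_entity_decode($m[1] ?? '', ENT_QUOTES, 'UTF-8');
}

// Post #1: the slashed value is echoed as-is.
function render_raw(string $v): string
{
    return '<input type="text" name="name" value="' . $v . '">';
}

// Post #4: slashes removed, but the quotes are still literal.
function render_stripslashes(string $v): string
{
    return '<input type="text" name="name" value="' . stripslashes($v) . '">';
}

// Undo the magic-quotes slashes (only when the server added them), then
// encode the value for the HTML attribute context.
function render_encoded(string $v): string
{
    $clean = htmlspecialchars(stripslashes($v), ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="name" value="' . $clean . '">';
}

foreach (['Fast "cars"', '"Cars"', '"Fast"'] as $typed) {
    $received = as_received_with_magic_quotes($typed);
    printf("typed: %-12s raw: [%s]  stripslashes: [%s]  encoded: [%s]\n",
        $typed,
        value_browser_sees(render_raw($received)),
        value_browser_sees(render_stripslashes($received)),
        value_browser_sees(render_encoded($received)));
}
```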

